b'              U.S. Department of Energy\n              Office of Inspector General\n              Office of Audit Services\n\n\n\n\nAudit Report\nManagement of the Department\'s\nPersonnel Security and Access\nControl Information Systems\n\n\n\n\nDOE/IG-0651                                 June 2004\n\x0cREPORT ON MANAGEMENT OF THE DEPARTMENT\'S\nPERSONNEL SECURITY AND ACCESS CONTROL\nINFORMATION SYSTEMS\n\n\n\nTABLE OF\nCONTENTS\n\n\n\n              Personnel Security and Physical Access Systems\n\n              Details of Finding ............................................................ 1\n\n              Recommendations .......................................................... 4\n\n              Comments....................................................................... 5\n\n\n              Appendices\n\n\n              1. Objective, Scope, and Methodology .......................... 8\n\n              2. Prior Reports ........................................................... 10\n\n              3. Management Comments ......................................... 11\n\x0c\x0c\x0cPERSONNEL SECURITY AND PHYSICAL ACCESS SYSTEMS\n\nSystem Modernization   While the electronic Department of Energy (Department)\nIntegration, and       Integrated Security System (eDISS+) in place at the time of our\nDevelopment            review may ultimately improve personnel security processing, the\n                       initiative was not designed to, and will not address, many of the\n                       functionality and access issues reported by a number of sites.\n                       Specifically, Central Personnel Clearance Index (CPCI)\n                       enhancement efforts will not include a number of site-level needs\n                       and will not reduce or eliminate the dependence on separate,\n                       locally developed and maintained tracking systems. In addition,\n                       the effort to improve physical access control systems was not well\n                       organized and lacked the capability to reduce duplicative and\n                       overlapping system development efforts.\n\n                                       Clearance Tracking Systems\n\n                       Although the Department plans to make further enhancements to\n                       CPCI, planned modifications will not address a number of site-\n                       level needs. Originally deployed in 1968, CPCI is used to\n                       maintain clearance data for Federal and contractor employees.\n                       However, according to site officials, it lacks a number of functions\n                       needed to effectively manage such information. Specifically,\n                       contractor officials told us that the current initiatives to enhance\n                       CPCI will not track special or temporary access authority (such as\n                       those required for nuclear material handling); provide electronic\n                       reconciliation with site-level personnel security tracking systems;\n                       or enable field sites to generate customized security reports.\n\n                       Planned upgrades to CPCI will also not increase access or enhance\n                       processing capabilities for contractor operated facilities. For\n                       example, contractors at a number of sites will not be granted\n                       sufficient access to make electronic updates to CPCI, requiring\n                       manual update processes to be used. Clearance terminations will\n                       continue to be made by methods such as "hand delivery" or faxing\n                       various forms to responsible Federal officials. As we observed in\n                       our report on Personnel Security Clearances and Badge Access\n                       Controls at Selected Field Locations (DOE/IG-0582,\n                       January 2003), manual termination methods tend to be more labor\n                       intensive, are susceptible to errors based on timing differences, and\n                       can increase the risk that individuals will gain access to sites even\n                       though their association with the Department has ended.\n\n\n\n\nPage 1                                                       Details of Finding\n\x0c         Responsible Headquarters personnel told us that they understood\n         site concerns regarding CPCI and that they were aware of cost and\n         data reliability issues associated with the use of manual methods.\n         Nevertheless, the Department planned to support the CPCI in its\n         present form and continue to restrict contractor access to the\n         system. While Headquarters officials indicated that they permitted\n         contractors to modify CPCI when serving under direct supervision\n         at Federal locations, they believed that extending access to\n         contractor personnel in private company locations could affect data\n         integrity. In subsequent discussions, Headquarters officials\n         clarified their comment and indicated that they did not want to\n         expand access to contractor personnel at government-owned and\n         contractor operated facilities. Headquarters system owners\n         indicated that the information contained in CPCI was highly\n         sensitive and that data entry functions could not be directly\n         entrusted to contractors. These officials maintained their position\n         even though they acknowledged that contractors maintain the same\n         data in local systems and understood that system level protections\n         were available.\n\n         The current modernization effort also will not address longstanding\n         problems with duplicative and redundant development and\n         maintenance of site-level security information systems.\n         Specifically, Headquarters security officials indicated that\n         sufficient resources do not exist to resolve CPCI functionality and\n         access issues discussed above. Accordingly, contractors at each\n         major site told us they must continue to develop and maintain\n         separate, but functionally equivalent personnel security systems.\n         We noted that problems with duplicate development have not\n         improved substantially since we reported the issue in our 2000\n         report on Corporate and Stand-Alone Information Systems\n         Development (DOE/IG-0485, September 2000). For example, our\n         review disclosed that each of the eight sites we visited or obtained\n         data from had developed and were maintaining a separate\n         clearance tracking system. Officials from the National Nuclear\n         Security Administration (NNSA) Service Center in Albuquerque\n         told us it cost over $660,000 to develop and maintain its personnel\n         security system.\n\n\n\n\nPage 2                                        Details of Finding\n\x0c                            Access Control Systems\n\n         Our audit disclosed that the Department maintains a number of\n         duplicative and overlapping physical access control systems. Such\n         systems, designed to limit or control access through electronic,\n         mechanical, or biometric means, are used to protect sensitive\n         material and sites across the complex. The Department\'s current\n         effort to improve physical access control systems will not reduce\n         duplicative and overlapping system development or increase the\n         ability to share data between these systems.\n\n         The Complex Wide Access Control (CWAC) project was designed\n         to provide a capability to allow sites to retrieve fundamental\n         information regarding Department and contractor employees\n         visiting Departmental sites. However, it lacked the capability to\n         reduce duplicative overlapping system development that is\n         occurring at the field sites. Furthermore, the project has not been\n         well defined. Even though the CWAC project has been in\n         planning or development since 1995, the Department has not yet\n         determined which sites will use it or how implementation will\n         proceed. In particular, while the sites we visited were aware of the\n         project, none understood the cost and schedule for implementation.\n         In addition, we learned that a cost-benefit analysis had not been\n         conducted and, despite a number of changes in scope and schedule,\n         the project plan had not been adequately updated. Had CWAC\n         been incorporated into the Department\'s E-government initiative, it\n         may have focused the development and deployment effort, helped\n         increase integration, reduced the number or type of separate\n         physical access control systems, and increased the return on the\n         $3.5 million invested in the project to date.\n\n         Even when in close proximity to one another, sites chose to operate\n         independent access control systems. For example, until recently,\n         Oak Ridge Reservation sites shared the same access control\n         system. However, in 2001, Oak Ridge National Laboratory\n         (ORNL) installed its own separate access control system that uses\n         proximity cards. Meanwhile, the Y-12 Complex (Y-12) is\n         considering replacing its access control system \xe2\x80\x93 which is shared\n         by the East Tennessee Technology Park \xe2\x80\x93 and may also use\n         proximity cards. However, responsible Y-12 officials we spoke to\n         had no plans to integrate this system with ORNL\'s new access\n         control system. Additionally, Los Alamos National Laboratory,\n         Sandia National Laboratories, and the NNSA Service Center each\n\n\n\n\nPage 3                                        Details of Finding\n\x0c                       maintained independent access control systems despite constant\n                       interaction among personnel assigned to the sites. Thus, frequent\n                       and cumbersome reconciliations were necessary to ensure\n                       appropriate access to these sites.\n\nSecurity Information   Efforts to modernize and improve the efficiency of personnel\nSystems Approach       security and physical access control systems were at risk because\n                       the Department had not developed a comprehensive security\n                       systems framework. Specifically, the Department had not\n                       determined the most effective method to manage personnel\n                       security and physical access across the complex. No central\n                       authority had been established and no organization had taken the\n                       initial step of developing a framework by identifying the universe\n                       of personnel security and access control systems and their\n                       associated costs. As we have noted in prior reports, absent a\n                       comprehensive framework to guide systems development\n                       activities, there is no mechanism to ensure that systems being\n                       developed are not duplicative or redundant and are able to\n                       communicate with one another. In addition, as we noted in the\n                       development of physical access control systems, the Department\n                       did not always apply sound project management practices such as\n                       cost-benefit analyses or the maintenance of up-to-date project\n                       plans for systems development initiatives.\n\nCosts and Security     The Department spent or plans to spend at least $13 million to\nRisks                  develop, implement, or maintain multiple systems that duplicate\n                       functionality and are not adequately integrated. This includes over\n                       $5 million for the separate access systems development efforts at\n                       the Oak Ridge Reservation. Without a comprehensive plan, the\n                       Department may be unable to restrict future duplicative\n                       development efforts or improve the cost-effectiveness and\n                       reliability of its security systems. Additionally, the lack of systems\n                       integration increased the risk that sites would grant access to\n                       unauthorized individuals based on ineffective or untimely\n                       information updates.\n\n\nRECOMMENDATIONS        We recommend that the Under Secretary for Energy, Science and\n                       Environment and the Administrator, National Nuclear Security\n                       Administration, in conjunction with the Director, Office of\n                       Security and Safety Performance Assurance and the Chief\n                       Information Officer:\n\n                          1. Develop a comprehensive framework for managing and\n                             integrating personnel security and access control systems\n                             Department-wide by:\n\n\nPage 4                                                                    Comments\n\x0c                          a)   Determining the universe of personnel security and\n                               access control systems across the complex and the\n                               costs associated with operating and maintaining these\n                               systems; and,\n\n                          b)   Developing and implementing a plan, based on data\n                               gathered and an assessment of corporate systems\n                               capabilities, for ensuring that personnel security and\n                               access control systems are not duplicative, have the\n                               ability to share data, and will provide maximum\n                               benefit to the Department.\n\n                      2. When selecting, developing and implementing future\n                         personnel security and access control systems, require that\n                         organizations comply with existing Office of Management\n                         and Budget (OMB) and other established standards and\n                         policies related to capital investment, project management\n                         and systems development. Specifically, ensure that all\n                         efforts include elements such as cost-benefit analyses,\n                         project plans, critical decisions and senior management\n                         oversight and approval.\n\n\nMANAGEMENT         Management generally concurred with the report\'s overall\nREACTION           conclusion and the intent of the report\'s recommendations.\n                   Management agreed that dependence by sites on duplicative,\n                   locally developed systems hampers efficiency and is not cost\n                   effective. However, management disagreed that the problems in\n                   this report derive from the Department\'s lack of a comprehensive\n                   framework for its personnel security and access control systems.\n                   Management also believed that the report should have emphasized\n                   the need for compliance with the Department\'s existing policies\n                   and procedures and OMB regulations regarding information\n                   systems planning, acquisition, development, and management.\n                   Management further indicated that the risk of expanding access to\n                   CPCI outweighs any potential cost or time savings. The Office of\n                   Security and Safety Performance Assurance also provided a\n                   number of technical comments regarding the report.\n\n\nAUDITOR COMMENTS   Management\'s comments are partially responsive to our\n                   recommendations. While we are encouraged that management\n                   agrees in principle and plans to address our recommendations, we\n                   disagree with its assertion that a framework is in place and that the\n                   Department has fielded a complete enterprise architecture. We\n\n\nPage 5                                                                Comments\n\x0c         found the lack of a security framework was a root cause of the\n         problems identified. Specifically, the examples of duplicate and\n         overlapping access control systems contained in this report\n         demonstrate that the Department does not have an agreed upon set\n         of standards or requirements for controlling development of new\n         personnel security and access control systems -- an integral and\n         essential component of a framework for making investment\n         decisions. Establishing a framework that includes a complete\n         enterprise architecture would give the Department the tools\n         necessary to determine how complex-wide needs should be\n         addressed. As noted previously, we have issued a series of reports\n         that highlight the lack of such a comprehensive approach to\n         information technology management.\n\n         With regard to management\'s concern that our report should\n         emphasize the need for compliance with existing Department\n         policies and procedures and OMB regulations, we agree and have\n         made several changes to the report and recommendations to reflect\n         that concern.\n\n         We also agree with management\'s position that the Department\n         needs to maintain strict control over CPCI and grant access only on\n         the basis of a legitimate "need to know." However, the contractors\n         we reference in this report operate Federal facilities, are subject to\n         Federal oversight, and many already have access to sensitive data\n         in order to perform their daily work. As noted in the report, secure\n         contractor access is possible by restricting the level of access or by\n         using batch processing techniques to monitor and control\n         contractor changes. For example, as we discussed with program\n         officials during our audit, batch techniques could eliminate manual\n         processing methods and permit electronic entry of data by\n         contractors while providing Federal officials with the ability to\n         review and approve the data prior to releasing it to the system.\n\n         Where appropriate we have incorporated management\'s technical\n         comments in the body of this report. Management\'s comments are\n         included in Appendix 3.\n\n\n\n\nPage 6                                                      Comments\n\x0cAppendix 1\n\nOBJECTIVE     The objective of this audit was to determine whether the\n              Department had adopted an integrated and cost-effective approach\n              for developing and maintaining personnel security and physical\n              access control information systems.\n\n\nSCOPE         The audit was performed between December 2002 and October\n              2003 at the National Energy Technology Laboratory in\n              Morgantown, WV, and Pittsburgh, PA; the Pittsburgh Naval\n              Reactors in West Mifflin, PA; Departmental Headquarters in\n              Washington, DC, and Germantown, MD; the Oak Ridge\n              Reservation in Oak Ridge, TN; the Los Alamos National\n              Laboratory in Los Alamos, NM; and the Sandia National\n              Laboratories and the NNSA Service Center in Albuquerque, NM.\n              We also obtained information from the Lawrence Livermore\n              National Laboratory in Livermore, CA.\n\n\nMETHODOLOGY   To accomplish our objective, we:\n\n                 \xe2\x80\xa2   Reviewed applicable laws and regulations pertaining to\n                     personnel security and access control systems. We also\n                     reviewed reports issued by the Office of Inspector General\n                     and the General Accounting Office;\n\n                 \xe2\x80\xa2   Reviewed the Government Performance and Results Act of\n                     1993 and determined if performance measures had been\n                     established for personnel security and access control\n                     systems;\n\n                 \xe2\x80\xa2   Reviewed numerous documents related to all personnel\n                     security and access control systems in operation or under\n                     development at the sites we visited;\n\n                 \xe2\x80\xa2   Reviewed documentation pertaining to Department-wide\n                     personnel security and access control initiatives, such as the\n                     OMB Exhibit 300 budget submission for eDISS+ and the\n                     CWAC budget plan; and\n\n                 \xe2\x80\xa2   Held discussions with program officials and personnel from\n                     Department of Energy Headquarters, including\n                     representatives from the Office of the Chief Information\n                     Officer, field sites visited, and the Department of Defense.\n\n\n\n\nPage 7                                Objective, Scope, and Methodology\n\x0cAppendix 1\n\n             The audit was conducted in accordance with generally accepted\n             Government auditing standards for performance audits and\n             included tests of internal controls and compliance with laws and\n             regulations to the extent necessary to satisfy the audit objectives.\n             Accordingly, we assessed internal controls regarding the\n             management of the Department\'s personnel security and access\n             control systems. Because our review was limited, it would not\n             necessarily have disclosed all internal control deficiencies that may\n             have existed at the time of our audit. While we examined a\n             number of systems access and control related issues, we did not\n             rely on computer-processed data to accomplish our audit objective.\n\n\n\n\nPage 8                               Objective, Scope, and Methodology\n\x0cAppendix 2\n\n                                      PRIOR REPORTS\n\n\n\xe2\x80\xa2   Management Challenges at the Department of Energy (DOE/IG-0626, November 2003).\n    The Department continued to experience challenges in a number of important areas,\n    including information technology management and national security. Specifically, the\n    Department had not fully satisfied the requirements of the Clinger-Cohen Act to effectively\n    manage information technology. The lack of a baseline to guide the acquisition and\n    management of information technology resources was one of the significant barriers\n    identified to achieving the objectives of the Clinger-Cohen Act.\n\n\xe2\x80\xa2   Personnel Security Clearances and Badge Access Controls at Selected Field Locations\n    (DOE/IG-0582, January 2003). At three of four field sites visited, minor discrepancies were\n    found in the recovery of badges. However, the fourth site had a significant number of badges\n    that had not been recovered from former contractor and other non-Federal workers.\n    Specifically, the site had not recovered badges for eight percent of the workers included in\n    the sample that had terminated their employment with the Department. These discrepancies\n    occurred because non-automated transmission of the data was not always effective. Further,\n    site badge officials did not always follow up with Department personnel security offices to\n    ensure that the termination information was received and that the clearance system was\n    updated.\n\n\xe2\x80\xa2   Personnel Security Clearances and Badge Access Controls at Department Headquarters\n    (DOE/IG-0548, March 2002). Due to problems with the Department\'s clearance and badging\n    controls, unauthorized individuals could gain access to Department Headquarters.\n    Specifically, the Headquarters badging system and the Central Personnel Clearance Index\n    contained inaccurate information regarding the status of employee terminations. The\n    inaccuracy of the information could allow unauthorized personnel to enter Department\n    Headquarters facilities and present a risk to national security. The systems contained\n    inaccurate data because program offices did not always provide information regarding\n    employee status to Headquarters Security Operations.\n\n\xe2\x80\xa2   Information Technology Support Services Contracts (DOE/IG-0516, August 2001). The\n    Department was not effectively managing the acquisition of information technology support\n    services. Problems arose because the Department had not developed and implemented a\n    framework for acquiring information technology support services in an efficient and\n    cost-effective manner. As a result, the report concluded that savings of as much as\n    $44 million may be possible over a three year period by adopting a Department-wide\n    approach.\n\n\xe2\x80\xa2   The Department of Energy\'s Implementation of the Clinger-Cohen Act of 1996\n    (DOE/IG-0507, June 2001). The Department had not satisfied major requirements of the\n    Clinger-Cohen Act. Specifically, it had not developed and implemented an integrated\n\n\n\n\nPage 9                                                                        Prior Reports\n\x0cAppendix 2\n\n    enterprise-wide, information technology architecture. Additionally, it did not acquire\n    information technology related assets in an effective and efficient manner. As a result of\n    these problems, potential operational efficiencies and savings totaling more than\n    $100 million were possible through better implementation of Clinger-Cohen requirements.\n\n\xe2\x80\xa2   Corporate and Stand-Alone Information Systems Development (DOE/IG-0485, September\n    2000). The Department had spent at least $38 million developing duplicative information\n    systems, and redundant computer systems existed or were being developed at nearly all\n    organizational levels within the Department. Specifically, there were 115 separate security\n    applications in place at five of the field sites sampled. The existence of duplicate information\n    systems occurred because the Department had not finalized a conceptual Information\n    Technology Architecture Plan to control development and the plan was only applicable to\n    Headquarters.\n\n\n\n\nPage 10                                                                         Prior Reports\n\x0cAppendix 3\n\n\n\n\nPage 11      Management Comments\n\x0cAppendix 3\n\n\n\n\nPage 12      Management Comments\n\x0cAppendix 3\n\n\n\n\nPage 13      Management Comments\n\x0cAppendix 3\n\n\n\n\nPage 14      Management Comments\n\x0c                                                                    IG Report No. DOE/IG:0651\n\n                           CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We wish to make our reports as responsive as possible to our customers\' requirements,\nand, therefore, ask that you consider sharing your thoughts with us. On the back of this form,\nyou may suggest improvements to enhance the effectiveness of future reports. Please include\nanswers to the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding this\n   report?\n\n2. What additional information related to findings and recommendations could have been\n   included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\'s overall\n   message more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues\n   discussed in this report which would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should we have\n   any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at\n(202) 586-0948, or you may mail it to:\n\n                               Office of Inspector General (IG-1)\n                                     Department of Energy\n                                    Washington, DC 20585\n\n                                  ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Wilma Slaughter at (202) 586-1924.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly and cost\n  effective as possible. Therefore, this report will be available electronically through the Internet at the\n                                             following address:\n\n                   U.S. Department of Energy Office of Inspector General Home Page\n                                        http://www.ig.doe.gov\n\n       Your comments would be appreciated and can be provided on the Customer Response Form\n                                      attached to the report.\n\x0c'